DNS Doctoring

Is there any way of disabling the DNS doctoring of the Pix (v 6.3)? We've
just put one in on our network and created a static NAT mapping for the mail
server. If we query any DNS server on the internet from within the network
it shows as the internal address and so for a while we thought that the DNS
had gone screwy! Now it seems apparent that the Pix is intercepting the DNS
replies and changing them to the internal address.

However, there is no DNS fixup and no alias command configured and so now I
can't work out how to disable this feature.

Any ideas anyone?

Chris.



Chris
12/19/2003 8:01:05 PM
comp.dcom.sys.cisco

On Fri, 19 Dec 2003 14:01:05 -0600, Chris wrote:

> Is there any way of disabling the DNS doctoring of the Pix (v 6.3)?
> We've just put one in on our network and created a static NAT mapping
> for the mail server. If we query any DNS server on the internet from
> within the network it shows as the internal address and so for a while
> we thought that the DNS had gone screwy! Now it seems apparent that the
> Pix is intercepting the DNS replies and changing them to the internal
> address.
> 
> However, there is no DNS fixup and no alias command configured and so
> now I can't work out how to disable this feature.
> 
> Any ideas anyone?
> 
> Chris.


6.3.1?  There was a bug in 6.3.1 -or- 6.3.2 that did this exact thing.
Upgrade to 6.3.3.

Rik Bain
Rik
12/19/2003 8:24:45 PM
"Rik Bain" <rik@remove.bainz.org> wrote in message
news:pan.2003.12.19.14.24.45.39641.7601@remove.bainz.org...
> On Fri, 19 Dec 2003 14:01:05 -0600, Chris wrote:
>
> > Is there any way of disabling the DNS doctoring of the Pix (v 6.3)?
> > We've just put one in on our network and created a static NAT mapping
> > for the mail server. If we query any DNS server on the internet from
> > within the network it shows as the internal address and so for a while
> > we thought that the DNS had gone screwy! Now it seems apparent that the
> > Pix is intercepting the DNS replies and changing them to the internal
> > address.
> >
> > However, there is no DNS fixup and no alias command configured and so
> > now I can't work out how to disable this feature.
> >
> > Any ideas anyone?
> >
> > Chris.
>
>
> 6.3.1?  There was a bug in 6.3.1 -or- 6.3.2 that did this exact thing.
> Upgrade to 6.3.3.
>
> Rik Bain

Yup, 6.3(1). Thanks for that. I'll upgrade on Monday.

Much appreciated, Rik.

Chris.



Chris
12/19/2003 8:54:27 PM
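
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Cisco's code: a simplified model of DNS doctoring, where A records matching a static NAT mapping are rewritten to the internal address, plus a check that flags RFC 1918 addresses in a reply that came from an Internet resolver. The host name, addresses and static mapping are constructed sample values.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:                    # root label ends the name
            return off

def a_records(msg):
    """Yield (rdata_offset, IPv4Address) for each A record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12                          # fixed DNS header length
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, ipaddress.IPv4Address(msg[off:off + 4])
        off += rdlen

def doctor(msg, static_map):
    """Model of doctoring: rewrite A records that match a mapped (outside) address."""
    out = bytearray(msg)
    for off, addr in a_records(msg):
        if addr in static_map:
            out[off:off + 4] = static_map[addr].packed
    return bytes(out)

def rfc1918_answers(msg):
    """Private addresses in a reply; unexpected when the resolver is on the Internet."""
    return [a for _, a in a_records(msg) if any(a in n for n in RFC1918)]

# Constructed reply: mail.example.com A 203.0.113.25, TTL 300
REPLY = (bytes.fromhex("123481800001000100000000")
         + b"\x04mail\x07example\x03com\x00" + b"\x00\x01\x00\x01"
         + b"\xc0\x0c" + b"\x00\x01\x00\x01" + struct.pack("!I", 300)
         + b"\x00\x04" + ipaddress.IPv4Address("203.0.113.25").packed)
# Constructed static mapping: outside (mapped) address -> inside (real) address
STATIC = {ipaddress.IPv4Address("203.0.113.25"): ipaddress.IPv4Address("192.168.1.25")}
```

Running `rfc1918_answers` on replies captured inside and outside the firewall for the same name shows whether the rewrite happens at the firewall or at the DNS server.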